
Privacy & Cybersecurity for the Energy Sector


The U.S. government is increasingly focused on protecting the nation's critical energy infrastructure from destructive cyber and physical attacks and ensuring security within its supply chain. Managing the evolving risks faced by the energy sector requires both a comprehensive understanding of how this sector works and is regulated, and in-depth knowledge of the cyber and physical security environment and its overlapping regulatory framework. Our firm's Energy Security Team includes experienced Energy and Privacy & Cybersecurity lawyers, working together to help clients comply with legal requirements and manage the material risks associated with security and reliability concerns.  

The owners and operators of the nation’s energy infrastructure today face an increasingly complex and risky environment in ensuring the safety, reliability, resilience and physical and cyber security of the system. We provide a robust suite of services to develop our clients’ protective systems, to ensure and verify compliance with applicable rules, to bolster physical, insurance-related and regulatory protections, and to support companies’ incident response in the increasingly likely event of a cyber breach.  These comprehensive services allow our clients to prepare for system-threatening events, to demonstrate compliance to the various federal, state and international regulators who are active in this space, and to support real-time, effective responses to events that threaten the system.

NERC Compliance

Our Energy Security Team advises on all aspects of our clients’ compliance with the mandatory reliability standards enforced by the North American Electric Reliability Corporation (NERC).  NERC violations can result in civil penalty assessments of up to $1,269,500 per violation per day.  Our lawyers regularly advise clients on risk allocation with respect to compliance with and enforcement of the NERC reliability standards in a variety of commercial transactions, including energy asset management and O&M agreements, and the negotiation and administration of agreements with third parties either providing NERC-related services or delegating NERC responsibilities to such third parties.  When necessary, we also assist clients in responding to NERC determinations of alleged violations of NERC electric reliability standards.

Additionally, we regularly help our clients prepare for NERC audits and other NERC compliance monitoring processes (such as self-certification), including reviewing the legal sufficiency of evidence provided by our clients to demonstrate compliance. This can include creating, reviewing, benchmarking and revising clients’ internal compliance programs to ensure that they meet NERC’s electric reliability standards; responding to NERC regional entity inquiries regarding internal compliance programs; and training senior management on NERC compliance, including risk exposure and measures to ensure compliance and mitigate violations.

Mitigating Cyber Risk

Our Energy Security Team has broad experience in helping energy businesses assess their physical and cyber risks and threats, and develop legally compliant mitigation policies and procedures. As part of our efficient approach to counseling clients, we work with the company's resources, leveraging existing compliance reviews and assessments, in order to identify compliance requirements and best practices that efficiently and effectively protect data, networks, and systems. We also work with technical consultants through a relationship that helps maintain confidentiality and privilege.

A focus of our approach in mitigating cyber risk is to assist our clients in conducting comprehensive and privileged risk assessments and compliance reviews.  These reviews are tailored to each unique client, and typically include assessing and classifying client data; identifying required and recommended data and network safeguards; evaluating organizational governance of information, people, and policies; reviewing training requirements and content for compliance with existing standards; assessing accountability, including the auditing process, risk reporting, and enforcement activities; and reviewing contractual and other components of vendor management and supply chain risk.

We typically conduct our reviews by identifying and assessing our clients’ compliance with a broad range of government regulatory programs that impose obligations to protect sensitive company and personal information, including the Defense Federal Acquisition Regulation Supplement (DFARS); the Chemical Facility Anti-Terrorism Standards (CFATS); the Maritime Transportation Security Act (MTSA); and evolving federal and state privacy and data breach laws, which may impose control standards and incident reporting obligations upon companies, including those in the energy sector.

Incident Response Plans and Training

We also assist clients in developing or enhancing their privacy and cybersecurity policies and procedures, including governance frameworks for escalating events internally and communicating with government partners, incident response plans, vendor management agreements, and insider threat policies.

In order to help ensure that key and responsible individuals understand their obligations under the incident response plans, our Energy Security Team has developed, facilitated, and participated in hundreds of cybersecurity and privacy tabletop exercises – detailed and rigorous simulations of a cyber or privacy incursion that provide invaluable insight into the resiliency of the company’s response protocols. The goals of our tabletop exercises are to identify appropriate actions for each phase of an incident response and to assess the effectiveness of current policies and procedures.  As a result of the exercise we are able to develop a list of targeted suggestions to help mitigate cybersecurity risks and threats.

Crisis Management

We understand the threat landscape and the impact that a cyber incident can have on companies in the energy sector. We represent both clients who are experiencing a security breach, and clients that are alleged to have security or privacy vulnerabilities in their products or services. In these crisis situations, we pack our bags, hit the ground, and remain on site with our clients until the issues are resolved, from the initial internal investigation stage through the communication, government enforcement, and follow-on litigation stages.

SAFETY Act Certifications and Protections

The Support Anti-Terrorism by Fostering Effective Technologies Act (the SAFETY Act), enacted shortly after the 9/11 tragedy, gives the Department of Homeland Security (DHS) authority to encourage the development and use of anti-terrorism technologies and services by providing liability protections to companies that meet DHS criteria.  Since the Act’s passage, DHS has provided SAFETY Act approval to a widening range of cybersecurity products and services, including technology that detects, blocks, tracks, and contains malware threats across multiple threat vectors within an enterprise network.  Once a technology or service is approved, the Act caps third-party tort liability at an approved level of insurance, providing either limited or absolute immunity under some circumstances for losses suffered as a result of terrorist acts.  The Act includes a myriad of other risk management benefits for companies using approved technologies and services, such as exclusive jurisdiction in federal court for suits against sellers of a technology arising from acts of terrorism; a bar against punitive damages and prejudgment interest; a limitation on non-economic damages; and liability only in proportion to the responsibility of the seller.

Our Energy Security Team has helped numerous clients seek and obtain liability protections under the SAFETY Act. We help companies examine whether their security systems, business continuity, physical and cyber-related incident response plans, or other products and services qualify for coverage under the SAFETY Act. And, we help our clients, with the assistance of technical consultants as appropriate, to develop the applications and information to secure the coverage.